I don't use it in my own job, but Matias Brutti and Mike Ridpath of IOActive did a presentation here at B-Sides PDX this last weekend on how they use SE, along with recordings of calls they've done on the job:

Okay cool. I've seen that book a couple of times on Amazon, I'll have to double check if safari books has it . I've read one SE book and it was really interesting. The author would start with his story and after the 1st page I would try and guess what kind of information he was going after but I was never right. He would go 5 steps to the left just to get a little piece of information, then do something else where I was like " how does this relate at all"..then BAM he finally tells us what he was doing and it all made sense. I feel like SE is almost impossible to stop if someone plans the SE well enough.

if Social Engineering is defined as "an interaction with a person that causes them to give you information that may not be in that person's best interest but is used to benefit the person asking" (and imho this is a good definition) then technically, no, i don't use it. I don't interact with them until i return their call/e-mail.

That said, when people contact me to hire me, I have a whole series of things i do to investigate them before I accept or reject a job. For the most part i want to make sure that I'll be in a safe situation, but it's also good to find out whether they can afford me!

Also, finding out as much as i can helps me to make sure I offer them what they're looking for. I always say that "affordable is relative" because what one guy would pay $100 for, another guy might pay $1000. The second guy is expecting a certain level of service, and think that $100 is too cheap. My approach is to accept more clients that would be fine with paying $1000, and make sure those folks felt like they got a good deal.

Kind of a roundabout way of answering your question but i hope that helps.

OneManicNinja wrote:if Social Engineering is defined as "an interaction with a person that causes them to give you information that may not be in that person's best interest but is used to benefit the person asking" (and imho this is a good definition) then technically, no, i don't use it. I don't interact with them until i return their call/e-mail.

That said, when people contact me to hire me, I have a whole series of things i do to investigate them before I accept or reject a job. For the most part i want to make sure that I'll be in a safe situation, but it's also good to find out whether they can afford me!

Also, finding out as much as i can helps me to make sure I offer them what they're looking for. I always say that "affordable is relative" because what one guy would pay $100 for, another guy might pay $1000. The second guy is expecting a certain level of service, and think that $100 is too cheap. My approach is to accept more clients that would be fine with paying $1000, and make sure those folks felt like they got a good deal.

Kind of a roundabout way of answering your question but i hope that helps.

Social Engineering is defined as the process of deceiving people into giving away access or confidential information. Wikipedia defines it as: "is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim."[1] Although it has been given a bad name by the plethora of "free pizza", "free coffee", and "how to pick up chicks" sites, aspects social engineering actually touches on many parts of daily life. Many consider social engineering to be the greatest risk to security.[2]

@cyber.spirit - ethical hackers ABSOLUTELY use social engineering. Its use depends on the scope of the contract, but if physical security and system access are called out, then it's critical to be able to use social engineering skills to gain access and gather information. Even if physical security is NOT in scope, there are times when impersonation over the phone or email, or other SE tactics are still VERY useful in gathering recon data to scope out and penetrate the target.

(Edit: Remember, the goal of a good pentester is to show a company their weaknesses... If that includes proving that security awareness training is not a solid piece of the target company's security posture, then so be it...)

Last edited by hayabusa on Thu May 31, 2012 6:42 am, edited 1 time in total.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'